Security Operations Fundamentals > [T2]: Lab - Microsoft Sentinel SIEM Overview
Overview of Microsoft Sentinel SIEM
As the previous definition indicates, Microsoft Sentinel is a cloud-native solution, so there is no hassle of deploying the solution on-premises. Instead, you enable the service from the Azure portal and connect your data sources to it. The core capabilities of Microsoft Sentinel are:
- Data Connection (at scale): Data connectors are a major component of any SIEM. For the solution to identify attacks, the events generated by the organization's assets must be forwarded to the SIEM. Microsoft Sentinel offers a large set of built-in connectors that you can use to ship logs, so there is no need to deploy your own log storage and parsing pipelines.
- Threat Detection: Microsoft Sentinel offers several capabilities to detect cyber attacks effectively and rapidly identify malicious activity, among them detection rules (Analytics), artificial intelligence (AI), and machine learning models.
- Incident Investigation: Once an alert is triggered, analysts are given a complete workspace in which to investigate the incident and determine what happened during the attack.
- Responding to Incidents: Responding promptly is essential in incident response; it slows down the attacker and prevents them from causing more damage. Microsoft Sentinel provides analysts with automation functionalities to respond to incidents rapidly and reduce alert fatigue.
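The detection rules mentioned under Threat Detection are written in Kusto Query Language (KQL) and run on a schedule against the tables the data connectors populate. The following is an added example, not part of the lab, of the query logic for a scheduled analytics rule that flags source IP addresses with many failed Azure AD sign-ins in a short window and lists any accounts that subsequently signed in successfully from the same address. It assumes the Azure Active Directory data connector is enabled so that the `SigninLogs` table exists; the one-hour lookback and the threshold of ten failures are assumed values to be tuned for your environment.

```kql
// Added example (not from the lab): scheduled analytics rule logic for
// detecting many failed sign-ins from one source IP, with any subsequent
// successful sign-in from that IP surfaced for the analyst.
// Assumes the Azure AD connector is enabled (SigninLogs table present).
let lookback = 1h;            // assumed window; match it to the rule's schedule
let failure_threshold = 10;   // assumed threshold; tune to reduce noise
let failed_by_ip =
    SigninLogs
    | where TimeGenerated >= ago(lookback)
    | where ResultType != "0"   // ResultType "0" is a successful sign-in
    | summarize
        FailedAttempts = count(),
        DistinctUsersTargeted = dcount(UserPrincipalName),
        FirstSeen = min(TimeGenerated),
        LastSeen = max(TimeGenerated)
        by IPAddress
    | where FailedAttempts >= failure_threshold;
let success_by_ip =
    SigninLogs
    | where TimeGenerated >= ago(lookback)
    | where ResultType == "0"
    | summarize SuccessfulUsers = make_set(UserPrincipalName) by IPAddress;
failed_by_ip
| join kind=leftouter success_by_ip on IPAddress
| project IPAddress, FailedAttempts, DistinctUsersTargeted,
          FirstSeen, LastSeen, SuccessfulUsers
| order by FailedAttempts desc
```

When saving this as a scheduled rule, map `IPAddress` to the IP entity and `SuccessfulUsers` to the Account entity in the rule's entity mapping so the resulting incident carries the entities into the investigation graph. A row where `SuccessfulUsers` is non-empty deserves higher severity than one where it is null, because it indicates a possible credential compromise rather than only a failed attempt.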
[Figure]
To access Microsoft Sentinel:
- Go to the "Azure Portal".
- Log in as per the lab guide.
- Search for "Microsoft Sentinel".
[Figure]
Click on "cyberdefenders".
[Figure]
Voila! Now you are ready to experiment with Microsoft Sentinel. You can access helpful information through the main dashboard/page, such as the number of events, alerts, incidents, the live threat map, etc.
[Figure]
Change the time range to 31 Aug 2022 - 5 Oct 2022.
[Figure]